Bumble, Match Group Hit by Data Security Incident, ShinyHunters Claims Responsibility

Dating-app companies Bumble and Match Group acknowledged data security breaches after the ShinyHunters ransomware group claimed to have breached the companies’ internal networks and stolen confidential data.

 

Recently, the ShinyHunters ransomware group said it infiltrated the internal network of Bumble and stole 30GB of compressed files stored in Google Drive and Slack. 

 

Acknowledging the claims, Bumble said it contacted law enforcement after a contractor’s account was compromised in a phishing attack, resulting in brief unauthorised access to a limited portion of its network.

 

A company spokesperson told Bloomberg that the access has since been terminated and did not affect its member database, user accounts, the Bumble app, private messages, or dating profiles.

 

ShinyHunters also claimed to have breached Match Group’s infrastructure, which operates dating services including Tinder, Hinge, and OkCupid, and stole 1.7GB of compressed data containing 10 million records.

 

 

Cybernews said it examined data samples attached to ShinyHunters’ post and determined they contained personal customer data, limited employee information, and internal company records.

 

According to the researchers, one sample associated with the Hinge dating app included files detailing user matches and around 100 records of matched users’ profile data, such as names and biographical information.

 

“The sample includes lists of dating profiles, logs of profile changes, but some documents do not indicate which dating app the records belong to. Many fields are filled with testing data and duplication. However, phone numbers and auth tokens are present as well and did not duplicate,” the researchers said.

 

Match Group confirmed the data security incident to BleepingComputer, saying it involved a limited amount of user data and that affected users were being notified. A company spokesperson added there was no evidence that login credentials, financial information, or private communications were accessed.

 

“We are aware of claims being made online related to a recently identified security incident.

 

“Match Group takes the safety and security of our users seriously and acted quickly to terminate the unauthorised access,” the company spokesperson added.